fix(destination): validate network server pairing

Ensure destination attach and promote operations only accept networks that belong to the selected server, preventing mismatched same-team server/network pairs.
2026-05-26 14:48:36 +02:00 · 2026-05-26 14:48:36 +02:00 · f44ace3965
commit f44ace3965
parent 579ce3064f
2 changed files with 24 additions and 2 deletions
--- a/app/Livewire/Project/Shared/Destination.php
+++ b/app/Livewire/Project/Shared/Destination.php
@ -112,7 +112,7 @@ public function promote(int $network_id, int $server_id)
    {
        try {
            $server = Server::ownedByCurrentTeam()->findOrFail($server_id);
-            $network = StandaloneDocker::ownedByCurrentTeam()->findOrFail($network_id);
+            $network = StandaloneDocker::ownedByCurrentTeam()->where('server_id', $server->id)->findOrFail($network_id);
            $this->authorize('update', $this->resource);

            $main_destination = $this->resource->destination;
@ -140,7 +140,7 @@ public function addServer(int $network_id, int $server_id)
    {
        try {
            $server = Server::ownedByCurrentTeam()->findOrFail($server_id);
-            $network = StandaloneDocker::ownedByCurrentTeam()->findOrFail($network_id);
+            $network = StandaloneDocker::ownedByCurrentTeam()->where('server_id', $server->id)->findOrFail($network_id);
            $this->authorize('update', $this->resource);

            $this->resource->additional_networks()->attach($network->id, ['server_id' => $server->id]);
--- a/tests/Feature/CrossTeamDestinationAttachTest.php
+++ b/tests/Feature/CrossTeamDestinationAttachTest.php
@ -98,6 +98,16 @@
        expect($this->applicationA->fresh()->additional_networks)->toHaveCount(0);
    });

+    test('cannot attach own network paired with wrong own server', function () {
+        try {
+            Livewire::test(Destination::class, ['resource' => $this->applicationA])
+                ->call('addServer', $this->destinationA2->id, $this->serverA->id);
+        } catch (Throwable $e) {
+        }
+
+        expect($this->applicationA->fresh()->additional_networks)->toHaveCount(0);
+    });
+
    test('can attach own team\'s server + network to own application', function () {
        Livewire::test(Destination::class, ['resource' => $this->applicationA])
            ->call('addServer', $this->destinationA2->id, $this->serverA2->id);
@ -121,4 +131,16 @@

        expect($this->applicationA->fresh()->destination_id)->toBe($originalDestinationId);
    });
+
+    test('cannot promote own network paired with wrong own server', function () {
+        $originalDestinationId = $this->applicationA->destination_id;
+
+        try {
+            Livewire::test(Destination::class, ['resource' => $this->applicationA])
+                ->call('promote', $this->destinationA2->id, $this->serverA->id);
+        } catch (Throwable $e) {
+        }
+
+        expect($this->applicationA->fresh()->destination_id)->toBe($originalDestinationId);
+    });
 });